v6.1.0
Release Highlights
- Redis session stores now support authenticated connections
- Error logging can now be separated from info logging by directing error logs to stderr
- Added --session-cookie-minimal flag which helps prevent large session cookies
- Improvements to force-https behaviour
- Allow requests to skip authentication based on their source IP
Important Notes
- #632 Sessions are backwards compatible with sessions from v5
- Any unencrypted sessions from before v5 that only contained a Username & Email will trigger a reauthentication
Breaking Changes
N/A
Changes since v6.0.0
- #742 Only log no cookie match if cookie domains specified (@JoelSpeed)
- #562 Create generic Authorization Header constructor (@JoelSpeed)
- #715 Ensure session times are not nil before printing them (@JoelSpeed)
- #714 Support passwords with Redis session stores (@NickMeves)
- #719 Add Gosec fixes to areas that are intermittently flagged on PRs (@NickMeves)
- #718 Allow Logging to stdout with separate Error Log Channel
- #690 Address GoSec security findings & remediate (@NickMeves)
- #689 Fix finicky logging_handler_test from time drift (@NickMeves)
- #700 Allow OIDC Bearer auth IDTokens to have empty email claim & profile URL (@NickMeves)
- #699 Align persistence ginkgo tests with conventions (@NickMeves)
- #696 Preserve query when building redirect
- #561 Refactor provider URLs to package level vars (@JoelSpeed)
- #682 Refactor persistent session store session ticket management (@NickMeves)
- #688 Refactor session loading to make use of middleware pattern (@JoelSpeed)
- #593 Integrate upstream package with OAuth2 Proxy (@JoelSpeed)
- #687 Refactor HTPasswd Validator (@JoelSpeed)
- #624 Allow stripping authentication headers from whitelisted requests with --skip-auth-strip-headers (@NickMeves)
- #673 Add --session-cookie-minimal option to create session cookies with no tokens (@NickMeves)
- #632 Reduce session size by encoding with MessagePack and using LZ4 compression (@NickMeves)
- #675 Fix required ruby version and deprecated option for building docs (@mkontani)
- #669 Reduce docker context to improve build times (@JoelSpeed)
- #668 Use req.Host in --force-https when req.URL.Host is empty (@zucaritask)
- #660 Use builder pattern to simplify requests to external endpoints (@JoelSpeed)
- #591 Introduce upstream package with new reverse proxy implementation (@JoelSpeed)
- #576 Separate Cookie validation out of main options validation (@JoelSpeed)
- #656 Split long session cookies more precisely (@NickMeves)
- #619 Improve Redirect to HTTPS behaviour (@JoelSpeed)
- #654 Close client connections after each redis test (@JoelSpeed)
- #542 Move SessionStore tests to independent package (@JoelSpeed)
- #577 Move Cipher and Session Store initialisation out of Validation (@JoelSpeed)
- #635 Support specifying alternative provider TLS trust source(s) (@k-wall)
- #649 Resolve an issue where an empty healthcheck URL and ping-user-agent returns the healthcheck response (@jordancrawfordnz)
- #662 Do not add Cache-Control header to response from auth only endpoint (@johejo)
- #552 Implements --trusted-ip option to allow clients behind specified IPs or CIDR ranges to bypass authentication (@Izzette)
- #733 dist.sh: remove go version from asset links (@syscll)